Thanks for the suggestion, I'll give that a go. I think the auditors will still require the test results for both compliant and non-compliant results, so I may need to produce separate reports for each. If you have any other suggestions to reduce the overall volume, please let me know.
Original Message:
Sent: Fri July 05, 2024 05:20 AM
From: Ronald van der Laan
Subject: zSecure STIG Compliance - Test Details report query
Hi Nathan,
If you insert the following piece of CARLa between your alloc and newlist statements, you will only get the not-compliant or undecided results:
define type=compliance compliance_exclude boolean where,
not(test_noncompliant),
(goal_compliant or goal_noncompliant or,
(not(goal_assert_expired) and,
(goal_assert_as=('compliant'c,'noncompliant'c))) or,
rule_exempt or control_not_applicable)
This code is generated by the AU.R.E menu, when you select the Non-compliant and Unknown flags.
Ronald
------------------------------
Ronald van der Laan
Original Message:
Sent: Fri July 05, 2024 03:00 AM
From: Nathan Shrive
Subject: zSecure STIG Compliance - Test Details report query
Hi team,
Hope you are all well. We're currently attempting to implement zSecure STIG health checks across our ACF2 and RACF environments.
My intention is that when the compliance batch jobs run, they will produce a tab-separated summary report and a detailed test result report. On our test ACF2 system I am getting an enormous amount of data in the detailed test report (1.6m rows). From what I can see, most of the volume comes from situations where it is checking IDs against many similarly named resources. In the example below the data is taken from the resource field of the detailed test report; for each RQM ID there are approx. 1000 rows like those below just for this control.
ACF2-JS-000050 Security JES2 spool resources IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000110.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000111.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000112.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000113.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000114.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000115.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000127.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000107.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000108.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000113.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000118.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000123.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000124.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000125.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000126.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000127.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000128.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000129.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000130.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
Is there any way you can think of that I can reduce the size of my report without losing the meaningful information I require (e.g. ID RQMP2U has non-compliant access via rule JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW)?
For your reference the CARLa is below. Thanks very much for any suggestions you have.
ALLOC TYPE=OUTPUT DD=SHCOWN
DEFTYPE TYPE=$cntrlown
ALLOC TYPE=$cntrlown DD=SHCOWN
DEFINE TYPE=$cntrlown rulenm(20,CHAR) AS WORD(RECORD,1)
DEFINE TYPE=$cntrlown cntrlown(20,CHAR) AS WORD(RECORD,2)
n type=compliance name=check name=LSTGOALS required,
prefixlen=0 prefixsep=' ' header=tsvt dd=rptfull
exclude ifdefined(COMPLIANCE_EXCLUDE)
define flg_compliant min(goal_compliant)
define flg_compliant2 boolean where goal_compliant=yes
define flg_noncomply boolean where goal_noncompliant=yes,
not(rule_exempt=yes)
define flg_undecided boolean where,
not(goal_compliant or goal_noncompliant or,
(not(goal_assert_expired) and,
(goal_assert_as='compliant'c or,
goal_assert_as='noncompliant'c)) or,
rule_exempt or control_not_applicable)
define flg_base boolean where goal_base_field<>' '
define flg_object('object',6,hb) boolean where exists(class)
define highprio('Pri',2,dec$blank,bw) max(auditpriority)
define flg_result_no("Didn't find",hb) boolean where,
(goal_test_result=no not(goal_assert_expired))
define once(0 hb ' ' noretain) TRUE /* literal to be printed once */
define once_no_assert(0 hb ' ' noretain) TRUE where not(goal_assert)
define flg_asserted('Asserted as',11,cond) true where,
goal_assert and exists(goal_assert_as)
define flg_same_ovr('Also set',8,cond) true where,
exists(goal_assert_recorder) and,
not(goal_assert) and not(goal_override)
sortlist,
complex('System',0),
standard(0),
standard_version("Ver",0),
:system.unload_datetime(18),
system:system.system.collect_datetime(18),
control(0),
control:$cntrlown.rulenm.cntrlown("Owner"),
control_caption(0),
control_desc(0),
auditpriority(0),
flg_noncomply(nd),
flg_compliant2('Compliance State',STR$BLANK('Compliant'),0) |,
flg_noncomply('',STR$BLANK('Non-Compliant'),0) |,
flg_undecided('',STR$BLANK('Undecided'),0) |,
control_not_applicable('',STR$BLANK('N/A'),0) |,
goal_assert_expired('',STR$BLANK(' Expired'),0) |,
rule_exempt('',STR$BLANK('Exempt'),0),
goal(0),
goal_desc(0),
:class(nd),
system(0),
proftype(0),
volser_key(0),
class(0),
:profile(0),
resource(0),
goal_test_result(hb,'Found',0),
goal_override(12,'Overridden'),
flg_same_ovr("Overidden State"),
flg_asserted('Asserted'),
goal_assert_as('Assert State',0),
goal_assert_expired('Assert Expired',0),
goal_assert_enddate('Expire Date',9),
goal_assert_recorder('Asserted ID',0),
goal_assert_by('Assert by',0),
goal_assert_comment('Assert Comment',0),
suppress('Suppressed',0) suppress_reason(0)
------------------------------
Nathan Shrive
------------------------------
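One way to cut the volume of the detailed test report while keeping the fact that an ID such as RQMP2U has access through a given rule is to collapse the report after it is written, grouping the rows by control, compliance state, ID and rule and keeping only a count and the first and last resource names. This is an added Python example, not code from the thread or from zSecure; it assumes a tab-separated report with Control, Compliance State and Resource columns (captions taken from the sortlist above) and a Resource value laid out like the quoted rows (ID, two flags, resource name, rule text). The sample rows are constructed from the post; USERXYZ and its rule are made up.

```python
import csv
import io
from collections import OrderedDict

# Constructed sample in the report's tab-separated layout (only the three
# columns the example needs; the real report has many more, see the sortlist).
_RULE = "JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW"
_RESOURCES = [  # resource names taken from the rows quoted in the post
    "JES2KTST.WQI$@1.WQICTL1.STC00235.D0000110.?",
    "JES2KTST.WQI$@1.WQICTL1.STC00235.D0000111.?",
    "JES2KTST.WQII2.WQIDB11A.JOB00333.D0000107.?",
]
SAMPLE_TSV = "Control\tCompliance State\tResource\n" + "".join(
    f"ACF2-JS-000050\tNon-Compliant\tRQMP2U A R {r} {_RULE}\n" for r in _RESOURCES
) + (  # a second, made-up ID hitting a different rule, kept as its own group
    "ACF2-JS-000050\tNon-Compliant\tUSERXYZ A R JES2KTST.ABC.DEF.JOB00001.D0000001.? "
    "JES2****.- UID(**2**XYZ) SERVICE(READ) ALLOW\n"
)


def split_resource(text):
    """Split 'id flag flag resource-name rule...' into (id, resource-name, rule)."""
    parts = text.split(None, 4)
    if len(parts) < 5:          # unexpected layout: keep the row whole
        return text, "", ""
    userid, _flag1, _flag2, name, rule = parts
    return userid, name, rule


def collapse(tsv_text):
    """Group rows by (control, state, id, rule); keep a count and a name range."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    groups = OrderedDict()
    for row in reader:
        userid, name, rule = split_resource(row["Resource"])
        key = (row["Control"], row["Compliance State"], userid, rule)
        g = groups.setdefault(key, {"count": 0, "first": name, "last": name})
        g["count"] += 1
        g["last"] = name
    return [dict(zip(("control", "state", "userid", "rule"), k), **v)
            for k, v in groups.items()]


def to_tsv(rows):
    """Render the collapsed rows as a tab-separated report with a header."""
    cols = ["control", "state", "userid", "rule", "count", "first", "last"]
    lines = ["\t".join(cols)] + ["\t".join(str(r[c]) for c in cols) for r in rows]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_tsv(collapse(SAMPLE_TSV)), end="")
```

Run against the real rptfull output, the three Non-Compliant RQMP2U rows become one line with count 3, which is the information the auditors need without the thousand near-identical resource names.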